To be fair this stuff is super esoteric. I get that these tutorials are aimed at beginners but it still assumes an absurd level of computer competency from the outset. I'm a recent Software Engineering grad and I feel completely out of my depth. I need to find an even more "for dummies" series than this and maybe then I can come back to this.
I would like to make videos that help people on your level. I’m wondering how I should approach it. Any ideas or examples? Wanna write me a mail LiveOverflow at gmail?
Dude, I'm really thankful for your videos! As a self-taught coder it's sometimes hard to move on when there is nobody around you to help you out. But the biggest struggle I faced was not the code by itself. It was mostly the tools I had to use, and I had no idea most of them even existed. Thank you very much for this video. This will help me to learn a lot faster than I did before. You're awesome.
If you are doing this in 2020 and want to move the nodes around you need to first toggle into graph cursor mode with "c" and then you can move nodes around. Shift + hjkl while not in cursor mode will just allow you to jump around visual mode faster.
Dear, although I can only understand less than 50% of your video, you are a very amazing guy! Thanks for your videos and I watch each of your videos more than 3 times to try to understand what you say...
I am really impressed and inspired by the advanced content of the newer videos. The completionist in me has to start with your first videos :D I wonder if you use radare now.
I'm confused as to how you determined 0x4006da contained the key at 4:45 in the video. Can anyone explain this part to me please? Thank you in advance and love your videos so far LiveOverflow :)
Look at 4:27. The rodata section starts from 4006c0 and its size is 4e, so its range is from 4006c0 to 4006c0+4e. When we run till the string comparison and print addresses in the registers, 4006da is the only address which belongs in that range. So, we deduce that it must be the address of the string because we know the string is in rodata section.
You can also use Ghidra (free) from ghidra-sre.org; You’ll need Java 11 SDK. Ghidra is a disassembler that works on MacOS X and Windows, and should work on any platform that has Java 11 SDK/runtime, though you may have to figure out how to make (or modify) a launcher script for a Linux distro. It can use many of the IDA-Pro scripts from what I’ve been told, though I don’t have IDA-Pro, so I can’t really say (because it’s too expensive.)
I have a question when I try the same thing with Hopper. I am not able to get those neatly formatted strings with characters; rather, what I get in the pseudocode is the locations for those strings. Is there any such option that you have enabled?
Hello. I understand why there are blue numbers that can't be translated to ASCII, but do you know why there are untranslatable hex values marked by ^ while some are marked by ? Why isn't written for example? It is confusing :0. Thanks!
This probably isn’t useful to you now, but for anyone wondering this in the future: ASCII values 0-31 are ‘control codes’ and can usually be typed with the control key plus a letter or special character. The control key is often represented by a caret (^). So ‘^C’ means control-C, which is ASCII value 3. Vim tries to print unprintable bytes as control codes, so any byte less than 32 will print as a ‘^@’ or similar. Bytes larger than 127, though, are not in ASCII at all, so they are printed as or whatever hex value. TL;DR: Bytes < 32 are printed as ‘^C’ (control code), bytes > 127 are printed as ‘’ (hex code).
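An added Python example (not from the reply above, nor from the video) that renders raw bytes the way the reply describes vim's display: control bytes as a caret plus a letter, and anything over 127 as a hex code. The `<xx>` spelling used here for the hex form is assumed from vim's own display convention.

```python
def vim_display(data):
    """Render bytes as vim shows them in a hex-ish buffer:
    printable ASCII as itself, bytes < 32 as ^@..^_, 0x7f as ^?,
    bytes > 127 as <xx> (assumed vim convention)."""
    out = []
    for b in data:
        if b < 0x20:
            out.append("^" + chr(b + 0x40))   # 0x03 -> ^C, 0x00 -> ^@, 0x1f -> ^_
        elif b == 0x7f:
            out.append("^?")                  # DEL has no letter form
        elif b > 0x7f:
            out.append("<%02x>" % b)          # not ASCII at all: shown as hex
        else:
            out.append(chr(b))
    return "".join(out)

# Constructed sample: a short string followed by NUL, control-C, DEL and two high bytes.
SAMPLE = b"AAAA\x00\x03\x7f\x80\xff"

if __name__ == "__main__":
    print(vim_display(SAMPLE))
```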
03:15 Is there some way to distinguish user code from those unknown library functions if they were statically linked into the executable and all we know is some random addresses? :q That would save a lot of time when analyzing programs because I would not have to try cracking the code that later turns out to be some library code irrelevant to the logic of the program :q
I just can't get the string from the address like you did at 4:35. When I stop at the breakpoint and look at the registers, they all point at a completely different location (except eip of course) and also don't hold strings. I'm on x86 btw.
Thanks man. Really useful. Debugging got easier for me. Can you please make a video on CHAINED ret2libc attack. I am actually stuck. There are two methods in it : ESP Lifting and FRAME FAKING and I am not able to make either one of them work.
How well does objdump show the assembly for the given hex code? Also, does objdump reliably output the proper assembly instructions for non-ELF file formats?
Can someone explain why register rsi is important and why it had the string AAAA-Z10N-42-OK in it? Is it common for the rsi register to hold the comparing string when the function strcmp is called?
Most viewed points are where you wrote the commands quickly and in tiny font at the bottom of the screen. Kind of frustrating, often seeing what was typed is impossible
Anybody having an issue like me where the .rodata address doesn't match the registers when running, try compiling with -no-pie flag so the address doesn't get randomized
Question at 4:19, you mentioned main should start at 0x4004d0 and we should be able to find this in the screenshot on the right, but in screenshot on the right, main starts at 0x4005bd? Also, .rodata starts at address 0x4006c0, so we would expect the license string to be at that address, but at 4:45, looks like license string is located at address 0x4006da instead?
I see, the binary code starts at 0x4004d0, which starts with other functions before "main": _start, deregister_tm_clones, register_tm_clones, __do_global_dtors_aux, frame_dummy, and finally "main" starts at 0x4005bd which is within the range (0x4004d0, 0x4004d0 + 0x1e2)
Also see that .rodata has this data, which also includes the license key at address 0x4006da:
(gdb) x/10sb 0x4006c0
0x4006c0 : "\001"
0x4006c2 : "\002"
0x4006c4: "Checking License: %s "
0x4006da: "AAAA-Z10N-42-OK"
0x4006ea: "Access Granted!"
0x4006fa: "WRONG!"
0x400701: "Usage: "
0x40070e: ""
0x40070f: ""
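To make the reasoning in the earlier reply ("4006da is the only register value inside the .rodata range") and the .rodata dump above concrete, here is an added Python example that is not from the video or the comments: it parses the ELF64 section table and reports which section each register value points into. The .text and .rodata addresses and sizes are the ones quoted in the comments; the ELF image and the extra register values are constructed for the demo.

```python
import struct

# ELF64 little-endian layouts (64-byte file header, 64-byte section header).
ELF64_EHDR = "<16sHHIQQQIHHHHHH"
ELF64_SHDR = "<IIQQQQIIQQ"

def parse_sections(data):
    """Return [(name, vaddr, size)] for every section with a non-zero load address."""
    eh = struct.unpack_from(ELF64_EHDR, data, 0)
    if eh[0][:4] != b"\x7fELF" or eh[0][4] != 2:
        raise ValueError("not a 64-bit ELF image")
    shoff, shentsize, shnum, shstrndx = eh[6], eh[11], eh[12], eh[13]
    shdrs = [struct.unpack_from(ELF64_SHDR, data, shoff + i * shentsize)
             for i in range(shnum)]
    strtab = shdrs[shstrndx][4]            # file offset of .shstrtab
    def name(off):
        end = data.index(b"\0", strtab + off)
        return data[strtab + off:end].decode()
    return [(name(s[0]), s[3], s[5]) for s in shdrs if s[3] != 0]

def section_for(sections, addr):
    """Name of the section whose [vaddr, vaddr + size) range contains addr, else None."""
    for sec, start, size in sections:
        if start <= addr < start + size:
            return sec
    return None

def classify_registers(sections, regs):
    """Map each register name to the section its value points into (None = not a pointer)."""
    return {r: section_for(sections, v) for r, v in regs.items()}

def build_demo_elf():
    """Constructed ELF64 image holding only a section table, with the .text and .rodata
    ranges quoted in the comments (0x4004d0+0x1e2 and 0x4006c0+0x4e)."""
    names = b"\0.text\0.rodata\0.shstrtab\0"   # name offsets 1, 7, 15
    shoff = 64 + len(names)
    ehdr = struct.pack(ELF64_EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1,
                       0x4004d0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    def shdr(name_off, typ, addr, off, size):
        return struct.pack(ELF64_SHDR, name_off, typ, 0, addr, off, size, 0, 0, 1, 0)
    return (ehdr + names + shdr(0, 0, 0, 0, 0) + shdr(1, 1, 0x4004d0, 0x4d0, 0x1e2)
            + shdr(7, 1, 0x4006c0, 0x6c0, 0x4e) + shdr(15, 3, 0, 64, len(names)))

if __name__ == "__main__":
    secs = parse_sections(build_demo_elf())
    # Constructed register snapshot: rsi is the value from the video, the rest are made up.
    regs = {"rsi": 0x4006da, "rdi": 0x7ffd1234abcd, "rax": 0x2}
    for reg, sec in classify_registers(secs, regs).items():
        print(f"{reg}=0x{regs[reg]:x} -> {sec}")
```

Pointing `parse_sections` at the bytes of a real non-PIE binary works the same way; for a PIE binary the section addresses are load-relative, which is exactly why a later comment suggests compiling with -no-pie.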
Hey.. I have an issue with radare2 while trying to rerun the program using ood. I tried to edit the ptrace scope but with no use. When I use ood, it reopens the file in read-write mode and tries to attach. "ptrace attach : operation not permitted" is the error. Do you have any idea about this?
Hey bro, like you changed the disassembly flavor in gdb using "set disassembly-flavor intel", can we do something similar in radare2 as well? As I firmly believe that the disassembly shown in gdb is much easier to understand than the one in radare2.
Awesome tutorials, I have a question. When I look at the pseudo-code, it doesn't include the nicely formatted strings like your video shows:
int main(int arg0, int arg1) {
    var_10 = arg1;
    if (arg0 == 0x2) {
        printf(0x4006c4);
        if (strcmp(*(var_10 + 0x8), 0x4006da) == 0x0) {
            puts(0x4006ea);
        } else {
            puts(0x4006fa);
        }
    } else {
        puts(0x400701);
    }
    return 0x0;
}
Any ideas?
Using Kali, which has Radare2 pre-installed, when I run 'VV' it launches a web server and I get a GUI :( Not as cool as the terminal graph. How do I get rid of it!
I tried: ltrace ./license TEST. It does not give me the strcmp command line. But with "objdump -d" I can find the strcmp.plt as I saw in your video at 3:18. objdump also tells me that it must be somehow related to glibc: # 3fd0 Still ltrace doesn't print the strcmp line. Does it have to do with the compiler version? [gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)]
With the file command I found that your ELF is an 'executable' with 'dynamic linked' libraries; my ELF was a 'shared object' with 'dynamic linked libraries'. I tried compiling it with the '-static' parameter so I got an 'executable' but it was 'statically linked' and got an increased file size. I don't know how you compiled it, maybe there are special parameters you used? Yours is also half the size of mine (16kb vs 8kb). I thought maybe it could have something to do with 32 and 64 bit, but your file stated that it is an "ELF 64-bit LSB".
Anyone else have issues opening certain manual pages? Digging around Google, I've seen others with this issue, but so far none of the solutions have worked. I've read in one place that it could be a bug?
Not sure which programs you're referring to in particular, but I'm willing to bet it's the ones related to C functions, like "man strcmp" and etc. You can install these with "sudo apt-get install manpages-dev" and "sudo apt-get install manpages-posix-dev". They should work now.
I have a question: We saw with ltrace what the arguments of strcmp were. If we want to make our program more secure, what would we do? Attach some crypto to it?
Been following this channel and have to say, you got some really dope content! One question regarding radare2 while installing on Ubuntu: after doing the setup and running r2, I get an error saying ` r2: error while loading shared libraries: libr_core.so: cannot open shared object file: No such file or directory `. Any idea how to solve? I looked online and it seems like it's not able to get the shared path of the library.
Hey. Thank you very much for your tutorials. I have a small issue with R2... I ran through this tutorial a couple nights ago and I was able to recreate everything you did, but tonight when I try in R2 to press VV to display the graph, it opens in its webUI and I can't seem to figure out how to change it back. So I hit VV after seeking to the main func but it opens up my chrome explorer and shows me a graph in there instead. I mean it's probably a sophisticated feature but I don't want it at this point... Thanks again!
Not sure what the deal was. My r2 was acting weird. It wasn't giving me the silly message when you open it and different outputs for this or that. I deleted my apt version and installed from git and now it's working again. Thanks!
At 9:09 I can't use 'aaa' anymore, so what alternative command should I use? Thank you
Hello bro, please tell me how I can clear memory and registers to do fast actions and speed up the CPU for instructions with assembly code? Thank you very much.
Hello friend, good video. I would like to know if you have any program like the one in the video but that works for Windows. I am interested in unzipping a firmware made for the msd7816 chip of the mstar company.
I personally don't know of any programs like this that work for Windows, but honestly, I think you'd be better off looking into WSL (Windows Subsystem for Linux) or using a VM (Virtual Machine) like Virtual Box or VMware Workstation with Linux VM on it.
I think if you watched his previous video it would be clearer. Basically the jne jumps to its address if not equal to 2. If it _is_ equal then the code will continue sequentially from that point (i.e. no jump) and 4005ea is the next major instruction (if you skip all the movs and adds)